Creating unique tokens

marciokoko

I have a form in html/php. A user needs to fill it out and hit submit. This calls a php script to create a name for it, encode it as xml and saves that name.xml file on the server. So far I use the mmddyy+1 from the server as the name and save the xml file as that. I need to replace that convention with:

md5(uniqid(mt_rand(), true));

This is sufficient to create a random token which will be used as the name for the xml. That name will be displayed and emailed to the user for later use.

How exactly would I do that?

somevar = md5(uniqid(mt_rand(), true));

and then name the file somevar.xml?

bradgrafelman

marciokoko;10994135 wrote:
How exactly would I do that?

somevar = md5(uniqid(mt_rand(), true));

and then name the file somevar.xml?

Sounds good to me.

marciokoko

ok then the problem lies somewhere else. Here is my code:

$path_dir = "sapps/";

$somevar = md5(uniqid(mt_rand(), true));
$path_dir .= $somevar .".xml";

echo $path_dir. "<br>";

/* Data in Variables ready to be written to an XML file */
$fp = fopen($path_dir,'w+');

$write = fwrite($fp,$xml_document);

if (is_writable($path_dir)) {
              echo "<br>You successfully created your XML file.<br> ;
} else if (!is_writable($path_dir)) {
              echo "file is not writable";
}

/* Loading the created XML file to check contents */
$sites = simplexml_load_file("$path_dir");

echo "<br> Checking the loaded file <br>" .$path_dir. "<br>";
print_r($sites);
}

and i get this as a result:

SAVING FILE...sapps/dc7077b3e767e8910edbeaf247451102.xml
file is not writable
Checking the loaded file
sapps/dc7077b3e767e8910edbeaf247451102.xml

But the file doesn't exist on the server. So it wasn't created. So I had to make the folder 777 and it worked. That doesn't seem safe, does it?

bradgrafelman

marciokoko;10994145 wrote:
So I had to make the folder 777 and it worked. That doesn't seem safe, does it?

Well you can't have your cake and eat it too. Either you want other accounts to be able to have write access to that directory or you don't.

Of course, since you're concerned about security even in the slightest, I'm guessing that means you aren't on a shared host, right?? 😉

marciokoko

Yes I am...why?

bradgrafelman

Because it's a bit silly to be doing so. When I think of security, the first thing that comes to mind isn't sharing a server (to which I have no root access) with an unknown number of different users .

Still, some shared hosts can be slightly better than others. For example, if I were forced to use a shared server and still attempt to be conscientiousness about security, I would look for one that uses something like suPHP and the Suhosin patch for PHP.

The former, for example, would eliminate the need to give write access to 'group' or 'others' on a given directory just so PHP can write to it; suPHP would cause the scripts to be executed under the context of your user account, thus it can write to any directories you ('owner') can. However, there are possible performance implications involved with such a setup, but then again if we're talking about a shared server then I can assume performance wasn't the biggest concern either.